Re: [GIT PULL] Load keys from signed PE binaries

[Matthew Garrett]

On Thu, Feb 21, 2013 at 10:03:20AM -0800, Linus Torvalds wrote:

> Seriously, if somebody wants to make a binary module for Fedora 18 or
> whatever, they should go to Red Hat and ask whether RH is willing to
> sign their key. And the whole "no, we only think it makes sense to
> trust MS keys" argument is so f*cking stupid that if somebody really
> brings that up, I can only throw my hands up and say "whatever".

MS have infrastructure to do identity verification and actually run some 
kind of vaguely responsible CA, and I don't trust Red Hat to be able to 
do that. And if the machine's carrying Microsoft's key in its firmware 
then you *already* trust Microsoft, because if the bad guy can get 
something signed by them then he's already just replaced your bootloader 
instead of pissing about inserting modules. Using the hardware keys as 
the root of trust makes practical sense.

> Besides, let's face it, Red Hat is going to sign the official nVidia
> and AMD binary modules anyway. Don't even bother to pretend anything
> else.

I don't think there's any chance of them signing modules. But it's a 
given that RHEL's going to end up trusting keys owned by nvidia and amd 
somehow, and chances are that's going to be based on the Microsoft 
signing service. The question is whether there's a benefit in ensuring 
that the same key is trusted by RHEL, Ubuntu, Suse and everyone else or 
whether different kernels are going to have completely different 
policies.

-- 
Matthew Garrett | mjg59@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/